Illuminating shadow passwords
Why shadow passwords? Simply put, the shadow password scheme addresses the major shortcoming of the original Unix password-handling scheme, the fact that the password list was stored as a world-readable file.
The encoding mechanism for Unix passwords was (and is) very secure, being a one-way algorithm and therefore easy to apply but impossible to reverse. However, the password file itself is vulnerable to a cracking technique known as a dictionary attack, in which all the words from a large dictionary file are encoded and compared with the encoded password (readable by any user, remember) in /etc/passwd. This dictionary file is usually based on a normal English-language dictionary, with the addition of slang and weak passwords like "gandalf," "xyzzy," "qwerty," or even (God help us) "password." If the two match, then the original unencoded word is the password.
This may sound simple, but it takes a while to run the tens, or hundreds, of thousands of dictionary entries against a single password. Still, it is not extremely difficult with today's high-performance computing systems. Shadow passwords retain the Unix password mechanism and its backward compatibility with the huge Unix application base, while preventing the dictionary attack.
Esther Schindler
If the comments are ugly, the code is ugly
claird
SVG a graphics format for 21st century
pasmith
Take Chrome OS for a test spin
Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?
jfruh
Android fragments vs. the iPhone monolith
mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive
Where Google Chrome security fails: the password
I heard mention that the Chrome OS will have some sort of encryption available a la bitlocker. If it's possible to encrypt personal data using another password or key, then it may have potential for very secure data.... And Ubuntu has an 'encrypt home directory' option, perhaps google should follow suit.
- Dann
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
Sign up »
Ease integration of Unix, Linux and Windows-based computers
Surviving Windows is easier than you think… MKS offers the power of an integrated all-in-one environment and provides you with the Power of UNIX on Windows
Learn More
Brought to you by: |
We have 5 copies of these two new books to give to some lucky readers. The deadline for entries is November 30, 2009.
|
iPhone for Programmers: An App-Driven Approach |
 |
The Google Way |
Priceless! The 25 Funniest Vintage Tech Ads
My oh my, how things have changed. These 25 vintage tech ads are guaranteed to take you back -- and, in most cases, remind you how truly terrible our tastes once were. Click ahead, and enjoy the shame-free trip down memory lane.
AISO founders envisioned a Web hosting company that was environmentally friendly. While the company employed energy-efficient innovations like solar panels, its infrastructure produced unacceptable power and cooling requirements. Find out how AISO leveraged AMD technology to overcome their challenge in this case study white paper.
In this whitepaper, Scalar explores the opportunity to change the landscape with respect to mission critical databases built around Oracle. Leveraging technologies such as Linux, high-end commodity processing power and Oracle RAC technology to architect, design, build and maintain database infrastructure that delivers maximum availability, reliability and performance at a fraction of traditional cost.
On a typical day, weather.com, the Web site for The Weather Channel in Atlanta, serves up between 15 million and 20 million page views. But in September 2004, when back-to-back hurricanes ransacked Florida, the peak traffic on one day more than tripled: over 70 million page views by more than 7 million unique visitors. Read the full success story now.
